What is MITM attack and how to prevent it ?
MITM stands for Man-In-The-Middle. it simply means someone stands between you and destination and intercepts or modifies your communication. it is quite easy when communication is not encrypted.
SSL protocol is originally invented to address this issue. The idea is that a trusted Authority (CA) authenticates the identity of destination and by using some cryptography protocols your connection to authentic destination becomes encrypted and impossible to intercept or modify.
It has been shown that the cryptography methods like AES or RC4 which are employed to encrypt the data are quite effective and very hard to crack. so the easier solution is to attack the base of trust model, the trusted authorities (CA). In this kind of attacks, hackers break into CA systems and forge valid certificates for themselves so they can impersonate themselves as authentic destinations and intercept the data. this kind of attack is used in both recent incidents, Commodo and DigiNotar.
Although the protocol is almost safe itself, unfortunately many of these CAs are vulnerable themselves making the whole process vulnerable.
The FOX-IT report indicates the DigiNotar systems were using Windows (Which is vulnerable in nature) and passwords has been crackable through brute-force attack. (More on this later)

To understand it better, I have created a diagram of recent MITM attack to Iranian users with the goal of intercepting communications between them and Google. the attackers have been able to gain access to Google accounts of users through this attack :

This diagram is self-explanatory. The attacker in middle impersonates itself as Google and establishes a secure connection to the user which is signed by DigiNotar CA. Although the connection is still secure, but users have a secure connection to the attacker, not real Google. so attacker has access to all information sent by user, including username, passwords, cookies and etc.(more…)

March 29, 2011

I was following up the news regarding the recent attacks to Comodo and gaining access to their cert signing system. Today I found out he has posted some comments regarding his attack and claimed some nonsense , so I decided to write a response to him , here it goes :

First of all you have claimed you are only a 21 years kid , are you kidding ? the aim of the attack has been to create certs signed by Comodo CAs for mail.google.com and login.yahoo.com and etc which can only be used to do man-in-middle type of attack. in fact if you do not have access to internet infrastructure in Iran , these certs have no use ! why would a 21 years old kid want to do that ? if you are interested in some signed certs which can not be used anywhere , next time send an email to me , I will sign some certs myself and send it back to you 🙂 it is very clear that this attack has been done with cooperation of Iran’s government and Iranian revolutionary guards and their cyber army who have access to Iran’s IT infrastructure.

Second I agree what you have done is impressive. it shows your budget and the size of your criminal organization to find security holes in internet. but you have not compromised anything fundamental or serious on internet ! do you think the same trick which you use on Iranian people ( I mean bragging about your power ) will work on the world either ? in fact when I was 21 I could do better than you ( your whole criminal organization ). lol , I can send you some proofs if you like.
because you have signed fake certs for yahoo and google, many people think you have hacked their systems and compromised their security ! but pro people know it has nothing to do with google or yahoo or the security of their systems. everything is intact and secure.
The only companies who should be blamed are Comodo and their Italian partner because of weak security system and I am sure they are already in a lot of trouble by authorities 🙂

Third you talk about breaking RSA 2048 keys and so on , it just makes me laugh. you can not even break the security of RSA 16 bit ! lol
If you had the power to do that , there were no need to generate fake certs from Comodo , you generated these fake certs because you can not decrypt the SSL traffic in Iran ! you need fake signed certs to do man-in-middle attack. it itself shows how weak you are. so come on , do not brag about your power. we all know thats a big lie.

Fourth lets assume you gain access to Comodo root CAs so you can sign the certs yourself , I dont think there is any bigger achievement for you ! you know what happens ? in less than 24 hours all major browsers will update their software and revoke the certificate. as simple as that. so I recommend you to waste your time on better solutions.

Fifth I would like to thank you guys for doing this personally , what you did had no gains for you and showed your real face to the world. I am not going to get political on this post 🙂 but it had a lot of benefits to the security of the internet. I am sure authorities are already working on implementing more secure and safe procedures to generate certificates and check for revoked certs. Thank You.

And at last I would like to talk to Iranian people , they are just trying to frighten you. they have not compromised anything serious on internet. this attack shows they have nothing in hand. these fake certs CAN NOT be used the decrypt SSL traffic. always use VPN encrypted connections and for emails use SSL connections , Gmail is the best. also always use the latest versions of Google Chrome and Firefox for browsing the web. NEVER USE INTERNET EXPLORER ! not even version 9. and you will be safe 🙂

June 11, 2009

Z3r0 day in hypervm?? plz u give us too much credit. If you really really wanna know how you got wtfpwned bitch it was ur own stupidity and excessive passwd reuse. Rus’s passwds are
Code:

e2x2%sin0ei unf1shf4rt 3^%3df 1/2=%mod5 f0ster

f0ster being the latest one, quite secure eh bitches? We were in ur networks sniffing ur passwds for the past two months quite funny this openvz crap is we could just get into any VPS we like at any time thanks to ur mad passwds. But we got bored so we decided to initiate operation rmfication and hypervm was a great t00l to do that since it spared us the time of sshing into all ur 200 boxen just to issue rm -rf. Coded a little .pl to do just that, take a look at this eleet output it’s mad dawg
Code:

Did the same fo ****vps.com after resetting the passwd to hyper ve emz, it was ever so much fun you should try it sometime Rus it’s GREAT!
BTW to all the customers we deleted ur loving provider is overselling their crappy 8gb nodez to hell and back, thought you’d like to know, you can also thank ur loving buddy Rus for losing ur data hihi. BTW Rus we still have ur billing system wtfpwned and baqdoored we got shitload of CCz from ur retarded customers thanks a lot buddy. Telling you this cuz we got bored of this ****, it’s just too easy and monotonous so patch ur crap, if your too dumb to secure a simple web server my rate is $100/hour or one night with ur sister hauhaiahiaha.
Also wheres ur team Rus? the only ****ers i saw in ur billing sys are Kody, Vlada and u you guys work like ****ing hindus i bet but ur cheap like jews lolz hire some pros like me to help you out manage all those retards VPSs lolololl
Code:

Fun stuff think we gonna sell all those emails to some spammers to make some quick bucks lol, and yes their main site was a VPS lolol which is why we got quick access thanks to ur passwd reuse, your awesome Rus.